03-26-2008 04:16 AM
Hi,
we had a working IPSEC VPN between IOS Router and Checkpoint FW. Now, after adding host entries to the ACL we got "no proposal chosen".
My question:
=> Can we use more than one entry in a ACL attached to crypto map? <=
Like this for example:
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...
Greetings Richi
03-26-2008 06:15 AM
Hi Richi,
Yes you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.
So for example
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
should be on the other side:
access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31
Have you checked that you have the symmetric access lists?
Hope it helps,
Paulo
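As an added illustration of Paulo's point (not code from the thread or from Cisco), the check below parses IOS-style crypto ACL lines from both sides and reports every local entry whose source/destination mirror is missing on the peer. The sample ACL text is constructed from the entries in the question; the peer side is written in IOS syntax for comparison even though a Checkpoint expresses it as an encryption domain.

```python
import ipaddress

# Constructed sample: local crypto ACL (from the question) and a peer ACL that
# mirrors only two of the three entries, so one mismatch should be reported.
LOCAL_ACL = """
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
"""
PEER_ACL = """
access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31
"""


def _parse_addr(tokens):
    """Consume one address spec ('host A', 'any' or 'A WILDCARD') from the token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # Cisco wildcard masks are inverted netmasks; ipaddress accepts the host-mask form.
    return ipaddress.ip_network(f"{addr}/{wildcard}"), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (src_network, dst_network) pairs from 'permit ip' ACL lines."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue  # skip blanks, remarks and non-IP protocol entries
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.add((src, dst))
    return entries


def unmirrored_entries(local_text, peer_text):
    """Local (src, dst) pairs whose (dst, src) mirror is absent on the peer; empty means symmetric."""
    local, peer = parse_crypto_acl(local_text), parse_crypto_acl(peer_text)
    return {(s, d) for (s, d) in local if (d, s) not in peer}


if __name__ == "__main__":
    for src, dst in sorted(unmirrored_entries(LOCAL_ACL, PEER_ACL), key=str):
        print(f"no mirror on peer for {src} -> {dst}")
```

An entry the script flags is exactly the kind of selector mismatch that leaves IKE with no matching proposal, so it is worth running after every ACL change.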
03-26-2008 07:02 AM
We found a solution / workaround:
The order of the Cisco ACL was clear, but not from Checkpoint side. So we built up the new encryption domains step by step.
=> after every entry (same network / host object, of course symmetric) we checked the IPSec tunnel
Now all entries are done and the tunnel is still active.